All of the HIPAA breach costs discussed in previous blog posts were direct costs – forensics, notification, and lawsuits. However, the most significant cost of a HIPAA breach is an indirect cost – lost business. In fact, many claim that loss business is the single largest cost of a breach. According to a Ponemon Institute study, when looking at multiple industries an organization can expect to lose nearly $4 million due to “abnormal turnover of customers, increased customer acquisition activities, reputational losses, and diminished goodwill.”
The indirect costs of a breach tend to be even higher in highly-regulated industries such as healthcare and financial services. Healthcare organizations in particular can experience high rates of customer turnover because of the sensitive and personal nature of the data involved in the breach. It has been reported that customer churn increases by 6.7% in the wake of a healthcare breach. Compared to retail, this is a three-fold increase in customer turn (2.2%).
In a recent survey conducted by Ponemon of customers who had been a victim of a data breach, 54% of respondents said that an organization couldn’t do anything to prevent them from discontinuing their relationship with that organization after a breach. Similarly, a study conducted by Semafone found that the majority of customers, whether or not they were the victim of a breach, would not do business with a company that had suffered a breach.